The Washington Post: Democracy Dies in Darkness

Federal employees may soon be ordered to work from home. That could pose serious cybersecurity risks

The coronavirus outbreak may prompt the federal government’s biggest telework experiment to date.

Chad Wolf, acting secretary of the Department of Homeland Security, testifies during a Senate Homeland Security Committee hearing on Capitol Hill on Wednesday. (Alex Wroblewski/Bloomberg News)

Hundreds of thousands of federal workers and congressional staff may soon be asked to work remotely full time as the coronavirus spreads, putting reams of sensitive government data at higher risk of hacking and threatening to overwhelm outdated government computer systems.

The surge in telework will mark a first-of-its-kind test for the government, which has struggled to update and secure its arcane technology systems after a string of damaging data breaches during the Obama administration.

[Hacks of OPM database compromised 22.1 million people]

If U.S. adversaries such as Russia or Iran compromise networks during the pandemic, they could disrupt efforts to mitigate the virus by stopping or slowing vital government communications. They could also sow chaos by sending phony alerts about the virus to the government workforce or the public.

“This is a make or break moment, and we won’t know what we get until we see it,” said Greg Touhill, former federal chief information security officer during the Obama administration.

So far, no federal agency or department has mandated their employees go home and log on to do their business, even as President Trump declared a national emergency to free up $50 billion in disaster relief for state and local governments.

Larger agencies such as Health and Human Services and the Energy Department have advised employees about safety precautions while they prepare remote working agreements, in case working from home full time becomes necessary. A handful of smaller agencies have offered employees the opportunity to work remotely, including the Securities and Exchange Commission, where a suspected infection caused 2,400 workers in that agency’s headquarters to head home.

Only about 40 percent of the 2.1 million federal workers were authorized to work remotely as of 2017, the last year for which data is available. And the Trump administration had been working to limit remote work, demanding some civil servants instead come into the office to perform their jobs. But as broad swaths of the private sector, school districts and local governments have moved quickly to limit the virus’s spread, the administration’s stance is changing, and it is now urging agencies to sign remote working agreements with as many employees as possible.

On Monday, the White House ordered employees across the government to be ready to telework full time if necessary, but it has released little guidance about how to remain secure while doing so.

In an email, Sen. Mark R. Warner (D-Va.), vice chairman of the Senate Intelligence Committee, called that lapse “inexcusable.”

“As the federal government prepares for what is likely to be an unprecedented experiment in telework, it’s also expanding opportunities for malicious actors to attack and potentially disrupt vital government services,” he said.

Furthermore, it is far from clear that government computer servers are prepared to handle the traffic from thousands of employees trying to access them from outside the office. The virtual private networks through which workers would likely sign on are often decades old and not designed to handle massive traffic volumes.

Many federal employees also lack government-issued laptops and phones, raising the specter of them logging on from their homes or coffee shops with devices that lack basic security features and are not patched against the latest bugs.

“You’re going to have a lot of folks that are going to inevitably be doing government business from their personal devices. I think that’s just a reality,” said Suzanne Spaulding, who led cybersecurity operations for the Department of Homeland Security during the Obama administration. “This just creates an opening for malicious activity of all kinds.”

Federal workers could also be using public WiFi networks that are not secure against hackers. And they will be more vulnerable to phishing emails and texts that look legitimate but actually contain malicious software. For example, hackers could pretend to be an employee’s boss or co-worker who’s locked out of a government email system and is instead using a personal Gmail account.

Cyber officials within the vast federal bureaucracy were working quickly to prepare for any contingency.

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) released a checklist Friday to help agencies ensure remote employees are operating as securely as possible. The agency did not respond to detailed questions about how it plans to deal with security challenges during what could be an extended telework period. Pentagon leaders are urging some divisions to implement telework to the maximum extent possible, a spokeswoman said.

The DHS checklist includes requiring employees to perform extra authentication checks beyond entering a password to remotely access government files and expecting an increase in phishing emails.

Besides the SEC, other agencies urging remote work include U.S. Citizenship and Immigration Services and the Federal Deposit Insurance Corporation. DHS announced last week that it had closed its Seattle field office for two weeks after an employee tested positive for coronavirus.

Other agencies have been conducting day-long telework sessions for all or most employees as “stress tests,” to see if computer systems can handle the strain.

CISA conducted one such test Friday. Similar tests have been conducted by NASA, the National Oceanic and Atmospheric Administration, and the Energy Department. One Energy Department employee who worked from home during an agencywide test told The Washington Post that he was able to log on but that the agency network was “very slow.”

Chief information officers have been meeting regularly in recent weeks to confront myriad challenges they don’t have ready answers for, such as whether agencies will have enough help desk employees to troubleshoot computer issues and how they will handle system crashes.

For government workers who do highly classified work, however, there is no way to work remotely, even if the outbreak gets worse.

A spokesman for the National Security Agency, whose work collecting foreign intelligence is highly classified, said the agency is continuing its work with no “reduction in mission.”

Some top government officials have secure workspaces — known as Sensitive Compartmented Information Facilities, or SCIFs — set up inside their homes and have phones and tablets they can use to read and respond to classified documents.

The vast majority of intelligence workers, however, have no choice but to do their work in highly secure government-managed buildings. In the past, officials have managed through snowstorms and other natural disasters by working rotating shifts, and agencies have plans for pandemics that include reorganizing workspaces so employees can keep larger-than-usual distances between each other, former officials said.

The decision to telework is already taking hold in Congress, where numerous lawmakers have announced their offices will be working remotely, including the House Veterans’ Affairs Committee and the offices of Sen. Ted Cruz (R-Tex.), who has extended his self-quarantine after coming into contact with two infected individuals, and Sen. Tom Cotton (R-Ark.).

The House Administration Committee sent a memo Wednesday to all lawmakers outlining how offices can set up temporary telework plans for their staff members and directing them to the chamber’s office supply store to buy secure laptops and other technology.

The chamber’s tech support office has also set up shop in the Rayburn House Office Building cafeteria from 9 a.m. to 3 p.m. each day to configure security features on the laptops of staffers who are preparing to work remotely, according to a copy of the memo shared with The Post.

“Members of both chambers are beginning to telework at unprecedented levels, and this means an increased risk of cyber threats,” said Rep. Kathleen Rice (D-N.Y.), who sponsored a bill mandating lawmakers get cybersecurity training that recently passed the House.

“This situation is concerning and it underscores exactly why it is so important that members and their staff are well-versed in cybersecurity best practices.”

A memo from the Senate sergeant-at-arms office, meanwhile, offers mostly pro forma security advice such as ensuring staff laptops are all up to date on security patches.

“It’s ridiculous that they’re just preparing for this now. This has been a known threat for weeks at least,” said Daniel Schuman, policy director for the liberal advocacy group Demand Progress, who writes a newsletter about Congress.

Schuman’s group has urged both chambers to close all congressional offices and hold votes using digital technology while the pandemic unfolds.

Ellen Nakashima contributed to this report.